##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
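class MetasploitModule < Msf::Auxiliary

  # Order is important here: Scanner provides the run/run_host dispatch and
  # Ftp provides connect_login/send_cmd, which read the rhost/rport
  # overrides defined below.
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::Ftp

  # Registers module metadata and options. RPORT is deregistered because the
  # relay port comes from BOUNCEPORT (see #rport); the scan ports come from
  # PORTS.
  def initialize
    super(
      'Name' => 'FTP Bounce Port Scanner',
      'Description' => %q{
        Enumerate TCP services via the FTP bounce PORT/LIST
        method.
      },
      'Author' => 'kris katterjohn',
      'License' => MSF_LICENSE
    )

    register_options([
      OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-10000"]),
      OptAddress.new('BOUNCEHOST', [true, "FTP relay host"]),
      OptPort.new('BOUNCEPORT', [true, "FTP relay port", 21]),
      OptInt.new('DELAY', [true, "The delay between connections, per thread, in milliseconds", 0]),
      OptInt.new('JITTER', [true, "The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.", 0])
    ])

    deregister_options('RPORT')
  end

  # Only IPv4 targets are supported: #run_host builds the PORT argument from
  # the target's dotted-quad octets.
  #
  # @return [Boolean] always false
  def support_ipv6?
    false
  end

  # The FTP mixin connects to rhost/rport; point it at the relay host rather
  # than the scan target.
  #
  # @return [String] the BOUNCEHOST option
  def rhost
    datastore['BOUNCEHOST']
  end

  # @return [Integer] the BOUNCEPORT option used for the relay connection
  def rport
    datastore['BOUNCEPORT']
  end

  # Scans a single target through the FTP relay. For every port in PORTS a
  # PORT command naming ip:port is sent, followed by LIST; a 1xx/2xx reply to
  # LIST means the relay could connect, so the port is printed and reported.
  #
  # @param ip [String] target address (IPv4 dotted quad, see #support_ipv6?)
  # @return [void]
  # @raise [Msf::OptionValidateError] when PORTS yields no ports, or DELAY or
  #   JITTER is negative
  def run_host(ip)
    ports = Rex::Socket.portspec_crack(datastore['PORTS'])
    raise Msf::OptionValidateError.new(['PORTS']) if ports.empty?

    jitter_value = datastore['JITTER'].to_i
    raise Msf::OptionValidateError.new(['JITTER']) if jitter_value.negative?

    delay_value = datastore['DELAY'].to_i
    raise Msf::OptionValidateError.new(['DELAY']) if delay_value.negative?

    return unless connect_login

    ports.each do |port|
      # Drain anything still unread on the control channel: the checks below
      # key off the reply codes, so a stale reply from the previous attempt
      # would be attributed to this port. This has to happen per port.
      loop do
        leftover = sock.get_once(-1, 0.25)
        break if !leftover || leftover.empty?
      end

      begin
        # Pace attempts according to DELAY/JITTER, if configured
        add_delay_jitter(delay_value, jitter_value)

        # PORT takes h1,h2,h3,h4,p1,p2 with the port split into two octets
        port_arg = (ip.split('.') + [port / 256, port % 256]).join(',')
        resp = send_cmd(['PORT', port_arg])

        # A 5xx reply (or no reply) means the relay refused this PORT; move on.
        # NOTE(review): assumes send_cmd returns the raw reply string or nil.
        next if resp.nil? || resp.match?(/^5/)

        resp = send_cmd(['LIST'])

        if resp&.match?(/^[12]/)
          print_good(" TCP OPEN #{ip}:#{port}")
          report_service(host: ip, port: port)
        end
      rescue ::StandardError => e
        # StandardError rather than Exception: rescuing Exception here would
        # also swallow Interrupt/SystemExit, so a console interrupt could not
        # stop the scan loop.
        print_error("Unknown error: #{e}")
      end
    end
  end
end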